[Buildroot] [git commit branch/2025.05.x] package/cups: security bump to v2.4.14
Titouan Christophe
titouan.christophe at mind.be
Tue Sep 30 09:10:04 UTC 2025
commit: https://git.buildroot.net/buildroot/commit/?id=4aef99b258a55baa740350118fe05939e002c581
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2025.05.x
See the release notes:
- https://github.com/OpenPrinting/cups/releases/tag/v2.4.13
- https://github.com/OpenPrinting/cups/releases/tag/v2.4.14
This fixes the following vulnerabilities:
- CVE-2025-58060:
OpenPrinting CUPS is an open source printing system for Linux and
other Unix-like operating systems. In versions 2.4.12 and earlier,
when the `AuthType` is set to anything but `Basic`, if the request
contains an `Authorization: Basic ...` header, the password is not
checked. This results in authentication bypass. Any configuration that
allows an `AuthType` that is not `Basic` is affected. Version 2.4.13
fixes the issue.
https://www.cve.org/CVERecord?id=CVE-2025-58060
- CVE-2025-58364:
OpenPrinting CUPS is an open source printing system for Linux and
other Unix-like operating systems. In versions 2.4.12 and earlier, an
unsafe deserialization and validation of printer attributes causes
null dereference in the libcups library. This is a remote DoS
vulnerability available in local subnet in default configurations. It
can cause the cups & cups-browsed to crash, on all the machines in
local network who are listening for printers (so by default for all
regular linux machines). On systems where the vulnerability
CVE-2024-47176 (cups-filters 1.x/cups-browsed 2.x vulnerability) was
not fixed, and the firewall on the machine does not reject incoming
communication to IPP port, and the machine is set to be available to
public internet, attack vector "Network" is possible. The current
versions of CUPS and cups-browsed projects have the attack vector
"Adjacent" in their default configurations. Version 2.4.13 contains a
patch for CVE-2025-58364.
https://www.cve.org/CVERecord?id=CVE-2025-58364
Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
Signed-off-by: Julien Olivain <ju.o at free.fr>
(cherry picked from commit 89fd61a127796813f50a1e77076fec3251aa4109)
Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
---
package/cups/cups.hash | 2 +-
package/cups/cups.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/cups/cups.hash b/package/cups/cups.hash
index e363a761eb..a200a82deb 100644
--- a/package/cups/cups.hash
+++ b/package/cups/cups.hash
@@ -1,4 +1,4 @@
# Locally calculated:
-sha256 b1dde191a4ae2760c47220c82ca6155a28c382701e6c1a0159d1054990231d59 cups-2.4.12-source.tar.gz
+sha256 660288020dd6f79caf799811c4c1a3207a48689899ac2093959d70a3bdcb7699 cups-2.4.14-source.tar.gz
sha256 cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30 LICENSE
sha256 977206f041b9a6f47ac00531e1242c0fab7063da71178f8d868b167b70866b6d NOTICE
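Review bot: The new sha256 on the `cups-2.4.14-source.tar.gz` line still sits under "# Locally calculated:", so nothing in this file ties the tarball to an upstream-published value. For a security bump, if the upstream release publishes a signature or checksum for the tarball, please verify against it and say so in that comment. Otherwise the hash only records what was downloaded on the submitter's machine. The unchanged LICENSE and NOTICE hashes are consistent with the license files not changing between 2.4.12 and 2.4.14.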
diff --git a/package/cups/cups.mk b/package/cups/cups.mk
index 21fe6a7c5e..e6de671174 100644
--- a/package/cups/cups.mk
+++ b/package/cups/cups.mk
@@ -4,7 +4,7 @@
#
################################################################################
-CUPS_VERSION = 2.4.12
+CUPS_VERSION = 2.4.14
CUPS_SOURCE = cups-$(CUPS_VERSION)-source.tar.gz
CUPS_SITE = https://github.com/OpenPrinting/cups/releases/download/v$(CUPS_VERSION)
CUPS_LICENSE = Apache-2.0 with GPL-2.0/LGPL-2.0 exception
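Review bot: `CUPS_VERSION` goes from 2.4.12 straight to 2.4.14, but the commit message attributes both CVE fixes to 2.4.13 and gives only a release-notes link for 2.4.14. A one-line summary of what 2.4.14 adds over 2.4.13 would show why the stable branch takes the later release. The diffstat touches only cups.hash and cups.mk, so it is also worth confirming in the message that any local patches carried for this package still apply unchanged on 2.4.14.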